Groups criticize FBI plan to require Internet backdoors for wiretaps

U.S. task force reportedly working on plan to severely penalize companies that fail to comply quickly with wiretap orders

Privacy groups are denouncing a federal government move to force Internet companies like Facebook and Google to build backdoors that would let the FBI and other agencies snoop in on real-time online communications.

The Washington Post reported this week that a government task force is working on such a plan at the behest of the FBI and other law enforcement agencies, which contend that they can't tap the Internet communications of terrorists and other criminals on such sites.

Privacy advocates say the plan could bankrupt smaller Internet companies and increase chances that hackers can access user data.

FBI officials didn't respond to a request for comment on the report.

The Post reported that the plan would subject Internet companies that failed to respond to federal wiretap requests to an automatic judicial review and fines starting at tens of thousands of dollars. Fines that remain unpaid after 90 days would double daily, the Post reported.

Internet companies would be free to implement any mechanism that would let law enforcement agencies tap Internet communications in real time, the Post reported, citing unnamed sources.

Analysts say the agencies are proposing the changes due to a growing frustration over their inability to legally spy on communications carried on by suspects over Internet-based services such as webmail, peer-to-peer services like chat, and social networks.

The Communications Assistance for Law Enforcement Act (CALEA) of 1994 already requires that telecommunications carriers provide government agencies with the ability to track traditional telephony and mobile communications on their networks when legally authorized to do so.

Over the years, the CALEA law has been expanded and interpreted by different courts to also cover broadband Internet service providers and Voice over IP services. Also, the federal government has long had the authority to legally obtain stored electronic communications from ISPs and telecommunication carriers in connection with criminal investigations.

However, the government's ability to monitor real-time email, chat and social network communications has been limited because providers of such services don't have intercept mechanisms in place or do not readily comply with wiretap requests.

The FBI describes such lack of easy access as the "Going Dark" problem, a term used to describe the growing gap between the government's authority to conduct legal surveillance and its ability to actually do so.

In the past, the FBI has complained about a growing inability to collect evidence against online criminals, drug traffickers and terrorism suspects that use Internet-based communications services to communicate.

Such concerns are valid, said Joshua Hall, senior staff technologist at the Center for Democracy and Technology (CDT). However, threatening Internet companies with financial penalties is wrong, Hall said.

"We're not against wiretaps" where warranted, Hall said. "The shot clock is the problem."

Under the proposed approach, any company that receives a federal wiretap request will have a specific time period in which to comply. If the company already has an intercept mechanism in place, complying with the request should not be a problem.

But smaller companies that don't have such a capability in place will be forced to implement something quickly to avoid huge penalties, he said. "Companies are going to say 'let's do this as cheaply as we can,'" Hall said. Such rush jobs would produce insecure and poorly integrated tools, he added.

Alan Butler, appellate advocacy counsel at the Electronic Privacy Information Center (EPIC), said the FBI proposal would force companies to build unsecured backdoors into otherwise secure communications services.

Many communications providers currently use encrypted connections to ensure greater security for their users, a policy that makes "perfect sense at a time when cyberattacks are a persistent threat and both Congress and the Obama Administration have been focusing on implementing a comprehensive cybersecurity program," Butler said.

"Many companies, like Google, already have access to the content of their users' communications, but other newer companies are competing for users based on the security and privacy of their services," he noted. "A truly secure communications connection would not have an access point that could be used by some unknown intermediate party to monitor the conversation."

In addition to encouraging the creation of security vulnerabilities, the proposed system of penalties would also degrade some privacy protections, he said.

"In many cases the service provider is the only party able to advocate on behalf of user privacy in the case of an overbroad or otherwise illegal law enforcement surveillance request," Butler said.

The proposal would punish such companies by threatening fines that could quickly outstrip their entire revenue stream. "This would mean that companies like Twitter can no longer advocate for their users' privacy without risking financial ruin."

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan.
